In the transmission of confidential data, it is often required both that on the one hand the data are confidential and on the other hand that it is also ensured that the received data have been transmitted unchanged and thus also without error. These two characteristics are described by the two security services of confidentiality and integrity.
It was previously standard to realize the security services confidentiality and xe2x80x9cexplicit integrityxe2x80x9d in a manner chronologically and logically separate from one another and in two independent operating steps.
Standardly, there took place a determination of what is known as a message authentication code (MAC) as a proof of integrity. For the formation of an MAC, arbitrary hash methods or also methods according to the ISO-9797 standard can for example be used. Subsequently, it has previously been standard to encrypt the message. For the encryption, what are known as block encryption methods have been used in the transmission of data blocks. For the flow-oriented encryption, it is thereby known to use what is called a chaining mode in the context of the block encryption, for example what is known as cipher block chaining mode (CBC Mode).
The separate realization of the two security services confidentiality and integrity in two separate operating steps is very expensive, which is a significant disadvantage particularly in transmissions of data with a very high required data rate.
With the use of the method described in the ISO-9797 standard, it is also for example required to use and to manage two different symmetrical key pairs. This leads to a considerable additional required computing expense in the key management of the cryptographic keys.
In order to ensure the security service confidentiality as well as the security service integrity together in one operating step, a block-oriented encryption mode for the transmission of data blocks would be required, having the characteristic of effecting a strong error propagation of the encrypted data stream at the receiver in case of accidental or malicious disturbances of the encrypted data stream during transmission between a sender and a receiver.
The known chaining modes often have a weak error propagation due to what is known as self-synchronization, e.g. the CBC mode. The known chaining modes with strong error propagation also contain cryptographic weaknesses, as a result of which they are unsuitable for the common ensuring of integrity and confidentiality implicit in an encryption method, i.e., in a method step.
An overview of various chaining modes may be found in C. J. A. Jansen, Investigations on non-linear Streamcipher Systems: Construction and Evaluation Methods, PhD. Thesis, Philips USFA BV., pages 22-28, 1989; or in B. Schneider, Angewandte Kryptographie, Addison-Wesley Publishing Company, Bonn, ISBN 3-89319-854-7, 1st ed., pages 227-246, 1996.
What is known as a CBC message authentication code (MAC) contains only a limited and fixed number of information bits. The security of an identity check value (integrity check value, ICV) used is given thereby. The security of the CBC-MAC is thus not scalable.
In addition, from Kohl, The use of Encryption in Kerberos for Network Authentication, Advances in Cryptology, CRYPTO""89, LNCS, Vol. 435, pages 36-39, Springer Verlag, 1990, a chaining mode is known with strong error propagation, called plaintext cipher block chaining mode (PCBC mode). The Kohl reference further specifies that with the use of the PCBC method a modification of the sequence of the transmitted encrypted data blocks cannot be recognized. For this reason, the PCBC method and also the CBC mode cannot be used with what is called a constant integrity check value (CICV) for securing the confidentiality and the implicit integrity of a transmitted data stream.
From S. M. Matyas et al, Message Authentication with Manipulation Detection Codes; Proceedings IEEE 1983 Symposium on Security and Privacy, Oakland, Calif., pages 66-365, 1993, the principle of what is called xe2x80x9cimplicitxe2x80x9d integrity and the general principle of a chaining mode are known.
The invention is thus based on the problem of indicating an arrangement and a method for the cryptographic processing of a digital data stream, with which arrangement or, respectively, method both the security service of confidentiality and also the security service of integrity is possible with a reduced requirement of computing capacity.
In the arrangement, of the present invention, a first processing element is provided for at least one part of the data blocks to be transmitted of the data stream, which element contains at least one first logic unit, an encryption unit, and a second logic unit. The first logic unit is supplied with the data of the respective data block via a first input, with the data of a preceding data block via the second input, and with a preceding intermediate quantity via a third input. In the logic unit, these quantities are combined to form a combination quantity. The combination quantity is supplied to the logic unit, in which a block encryption method is applied to the combination quantity. The result of the block encryption is an intermediate quantity which is supplied to the second logic unit. In addition, the second logic unit is supplied with a previously cryptographically processed data block. By combination of the intermediate quantity with the preceding cryptographically processed data block, the cryptographically processed data block is determined for the respective data block. The totality of the cryptographically processed data blocks yields the digital data stream to be transmitted.
In the arrangement of a further embodiment of the present invention, for at least one part of cryptographically processed data blocks a second processing element is provided that comprises at least a third logic unit, a decryption unit, and a fourth logic unit. The received cryptographically processed data block is supplied to the third logic unit via a first input, and at least one preceding cryptographically processed data block is supplied to the third logic unit via a second input. The data blocks are combined with one another in the third logic unit. The result of the combination in the third logic unit is the intermediate quantity. The intermediate quantity is deciphered with the decryption unit, and a combination quantity is determined. The fourth logic unit is supplied with the combination quantity via a first input, with at least one preceding intermediate quantity via a second input, and with at least one preceding data block via a third input, and in the fourth logic unit is combined to form the data block.
In the arrangement of a further embodiment of the present invention a transmission unit and a receive unit are provided. In addition, a transmission system is provided between the transmission unit and the receive unit for the transmission of the cryptographically processed data stream.
Among other things, the arrangements have the advantage that for the first time an encryption and an integrity securing are possible in one processing step, the encryption. An additional, explicit integrity securing is no longer required in this arrangement. This leads to a considerable processing speed, which can at a maximum be doubled, in the cryptographic processing of a data stream.
In addition, the arrangements have the advantage that a chaining mode is realized that is significantly superior to the known chaining modes, because on the one hand it comprises a strong error propagation, and on the other hand the attacks that could not be recognized with the PCBC mode can also be recognized.
The securing of the implicit integrity by means of the use of a constant integrity check value (CICV) and the encryption of the data with a strongly error-propagating chaining mode enables an advantageous scaling of the security by means of the use of arbitrarily long ICVs.
In the method according to the present invention, an intermediate quantity is determined from a data block, by encrypting the data block with a block encryption method, taking into account at least one preceding data block and at least one preceding intermediate quantity. In addition, a cryptographically processed data block is determined from the intermediate quantity by means of combination with at least one preceding cryptographically processed data block.
The method according to another embodiment of the present invention essentially comprises the inverse steps to the method described above. An intermediate quantity is thereby determined from the cryptographically processed data block by means of combination with a previous cryptographically processed data block, and a combination quantity is determined from the intermediate quantity using a block encryption method, by decryption of the intermediate quantity. The combination quantity is combined with at least one preceding intermediate quantity and with at least one preceding data block, whereby a data block is determined.
In the method according to a further embodiment of the present invention, the method steps above described are combined with one another in such a way that the cryptographically processed data are first formed in a transmission unit, are transmitted by the transmission unit to a receive unit, and the cryptographically processed data are then in turn processed according to the method with the inverted steps.
In order to increase the cryptographic security both of the arrangement and also of the methods, it is advantageous to take into account a first predeterminable value in the logic units, or, respectively, in the combination of the first data block or, respectively, cryptographically processed first data block.
The security of the chaining mode can advantageously be increased in relation to other known chaining modes in that a second initialization value is used in the first processing stage as an additional secret parameter.
Both the arrangements and also the methods can advantageously be used both for encryption alone, for integrity securing alone, and also for common encryption and integrity securing.